AD-A148 439

UNCLASSIFIED

EXTENDED STOCHASTIC PETRI NETS: APPLICATIONS AND ANALYSIS (U)
WISCONSIN UNIV-MADISON MOTOR BEHAVIOR LAB
J B DUGAN ET AL. NOV 84 AFOSR-TR-84-1895 AFOSR-84-0122

F/G 12/1



REPORT DOCUMENTATION PAGE

SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED

1a. Report security classification: UNCLASSIFIED
3. Distribution/availability of report: Approved for public release; distribution unlimited.
4. Performing organization report number(s): CS-1984-7
5. Monitoring organization report number(s): AFOSR-TR-84-1095
6a. Name of performing organization: Duke University
6c. Address (City, State and ZIP Code): Department of Computer Science, Durham NC 27706
7a. Name of monitoring organization: Air Force Office of Scientific Research
7b. Address (City, State and ZIP Code): Directorate of Mathematical & Information Sciences, Bolling AFB DC 20332-6448
8a. Name of funding/sponsoring organization: AFOSR
8b. Office symbol: NM
8c. Address (City, State and ZIP Code): Bolling AFB DC 20332-6448
9. Procurement instrument identification number: AFOSR-84-0132
10. Source of funding nos.: Program element no. 61102F; Project no. 2304; Task no. A5
11. Title (include security classification): EXTENDED STOCHASTIC PETRI NETS: APPLICATIONS AND ANALYSIS
12. Personal author(s): Joanne Bechta Dugan, Kishor S. Trivedi, Robert M. Geist and Victor F. Nicola
13a. Type of report: Technical
14. Date of report (Yr., Mo., Day): NOV 84
15. Page count: 23
19. Abstract: An Extended Stochastic Petri Net (ESPN) model, useful for modeling systems which exhibit concurrent, asynchronous, or nondeterministic behavior is developed. Applications demonstrating the flexibility of the model for a variety of system modeling applications are presented. Analytic techniques for the representation of a class of ESPNs as Markov or semi-Markov processes are discussed, as is the simulation of more general models. Finally, DEEP (the Duke ESPN Evaluation Package) is previewed.
20. Distribution/availability of abstract: Unclassified/unlimited
21. Abstract security classification: UNCLASSIFIED
22a. Name of responsible individual: MAJ Brian W. Woodruff
22b. Telephone number (include area code): (202) 767-5027
22c. Office symbol: NM

DD FORM 1473, 83 APR. Edition of 1 Jan 73 is obsolete.

DTIC file copy; DTIC stamp: SELECTED DEC 11 1984.

UNCLASSIFIED




AFOSR-TR-84-1095

CS-1984-7

Extended Stochastic Petri Nets:
Applications and Analysis

Joanne Bechta Dugan
Kishor S. Trivedi
Robert M. Geist
Victor F. Nicola




Approved  for  public  release 
distribution  unlimited. 




AIR FORCE OFFICE OF SCIENTIFIC RESEARCH (AFSC)
NOTICE OF TRANSMITTAL TO DTIC
This technical report has been reviewed and is approved for public release.
Distribution is unlimited.
MATTHEW J. KERPER
Chief, Technical Information Division

Extended Stochastic Petri Nets:
Applications and Analysis


Joanne Bechta Dugan
Department of Electrical Engineering
Duke University

Kishor S. Trivedi
Department of Computer Science
Duke University

Robert M. Geist
Department of Computer Science
Clemson University

Victor F. Nicola
Department of Computer Science
Duke University


ABSTRACT

An Extended Stochastic Petri Net (ESPN) model, useful for modeling systems which exhibit concurrent, asynchronous, or nondeterministic behavior is developed. Applications demonstrating the flexibility of the model for a variety of system modeling applications are presented. Analytic techniques for the representation of a class of ESPNs as Markov or semi-Markov processes are discussed, as is the simulation of more general models. Finally, DEEP (the Duke ESPN Evaluation Package) is previewed.


1. Introduction

A Petri Net is an abstract, formal graph model useful for representing systems which exhibit concurrent, asynchronous, or nondeterministic behavior. The analysis of the Petri net model provides information about the system it represents, provided the model is a valid representation of the system under study, and the solution of the model is correct. Increasing the flexibility of the modeling tool increases the validity of the model, but makes the model correspondingly more difficult to solve. The goal of this paper is twofold. First, an Extended Stochastic Petri Net (ESPN) model is developed, and the flexibility of such a model is demonstrated through a variety of system modeling applications. Second, analytic and simulation techniques for the solution of an ESPN are derived and demonstrated in DEEP (the Duke ESPN Evaluation Package).

Supported in part by the NASA Langley Research Grant NAG-1-70, by the National Science Foundation grant MCS83-0200, by the Army Research Office grant DAAG29-84-K-0045, and by the Air Force Office of Scientific Research.


Recall the composition of a Petri Net (PN) bipartite graph [Pete81]: a set of places, P (drawn as circles), a set of transitions, T (drawn as bars), and a set of directed arcs, A, which connect transitions to places or places to transitions. Places may contain tokens (drawn as dots). The state of a PN, called the PN marking, is defined by the number of tokens contained in each place.

A  place  is  an  input  to  a  transition  if  an  arc  exists  from  the  place  to  the  transition;  a 
place  is  an  output  from  a  transition  if  an  arc  exists  from  the  transition  to  the  place.  A 
transition  is  enabled  when  each  of  its  input  places  contains  at  least  one  token.  Enabled 
transitions  can  fire,  by  removing  one  token  from  each  input  place  and  placing  one  token 
in  each  output  place.  Thus  the  firing  of  a  transition  causes  a  change  of  state  (produces  a 
different  marking)  for  the  PN. 

A  Stochastic  Petri  Net  (SPN)  [Moll82]  is  obtained  by  associating  with  each  transition 
a  so  called  firing  time.  Once  a  transition  is  enabled,  an  exponentially  distributed  amount 
of  time  elapses.  If  the  transition  is  still  enabled,  it  will  then  fire.  A  Generalized  Stochastic 
Petri  Net  (GSPN)  [Mars84]  allows  immediate  (zero  firing  time)  as  well  as  timed  transitions 
(exponentially  distributed  firing  times);  immediate  transitions  are  drawn  as  thin  bars, 
timed  transitions  as  thick  bars. 

An Extended Stochastic Petri Net allows firing times to belong to an arbitrary distribution. In addition to the general firing time distributions, some other extensions to Petri Nets are considered here. An inhibitor arc [Pete81] from a place to a transition has a small circle rather than an arrowhead at the transition. The firing rule is changed as follows: A transition is enabled when tokens are present in all of its (normal) input places, and no tokens are present in the inhibiting input places. When the transition fires, the tokens are removed from the normal input places and deposited in the output places as usual, but the number of tokens in the inhibiting input place remains zero. A probabilistic arc from a transition to a set of output places deposits a token in one (and only one) of the places in the set. The choice of which place receives the token is determined by the probability labels on each branch of the arc. In Figure 1, when the transition is enabled, it fires by removing the token from the input place, and depositing it in either place P1 (with probability a) or in place P2 (with probability 1-a).

A counter arc from a place to a transition is labeled with an integer value, k. This changes the firing rule such that a transition is enabled when tokens are present in all of its (normal) input places and at least k tokens are present in the counter input place. When the transition fires, one token is removed from each normal input place, while k tokens are removed from the counter input place. Associated with a particular counter arc can be a counter-alternate arc, which enables an alternate transition when the count is between 1 and (k-1), inclusive. The alternate transition can fire each time a token is deposited in the counting input place until there are k tokens present. The count remains unchanged by the firing of the alternate transition, as it removes no token from the counter input place. A counter-alternate arc is labeled with a k.

Neither the counter arc nor the counter-alternate arc are true extensions to Petri Nets, as both can be realized by a cascade of normal places and transitions [Duga84]. Rather they are useful shorthand notations for such a cascade.

2.  ESPN  Applications 

2.1.  Modeling  Imperfect  Coverage  in  Fault-Tolerant  Computer  Systems 

The ESPN model was initially developed as an aid in modeling imperfect coverage in fault-tolerant computer systems [Geis84] for the HARP (the Hybrid Automated Reliability Predictor) project [Geis83] at Duke University. The HARP reliability model is characterized by a behavioral decomposition [Triv83] of the overall model into separate fault-handling and fault-occurrence submodels. This technique is based on the observation that the fault-occurrence behavior of a system is composed of relatively infrequent events while fault-handling behavior is composed of relatively frequent events. Faults may occur over periods of days or even weeks, but detection and recovery may take only seconds. The fault-handling model is solved for coverage factors which are then used as inputs to the overall model. The overall model, which accepts these inputs as well as parameters defining system structure and fault-occurrence behavior, is then solved for the system reliability as a function of time.

Fault handling begins when a fault occurs (entry I) and completes when the fault is handled (exits R or C) or when the system fails (exit F). Exit R represents the correct recognition and handling of a transient fault (called transient restoration), while exit C represents the reconfiguration of the system to tolerate a permanent or "leaky" transient fault (traditionally called coverage). Here I represents the initial marking of the net.

Many issues must be considered in the design of a general fault-handling model. Among these are the different classes of faults, the available recovery mechanisms, and the various possibilities for reconfiguration. The inherent concurrency between the fault activity and the system fault treatment mechanism can be captured most effectively in terms of an ESPN. As an example, consider the HARP fault-handling model shown in Figure 2. The initial marking of this net contains a token in the place labeled 'System OK.' When a fault occurs in the system, a token is deposited in the place labeled 'Fault.' The tokens in these two places enable transition T1. The transition fires immediately, thus removing a token from the input places. A token is then deposited in place 'Active Intermittent' or 'Transient', with probability 1-t and t respectively, depending upon whether the fault is intermittent or transient (t is a user-input value defining the percentage of faults which are transient). Simultaneously, a token is deposited in place 'Lurking', which represents the presence of a lurking (undetected) fault. If the fault is intermittent, the token which was deposited in place 'Active Intermittent' will circulate between places 'Active Intermittent' and 'Benign Intermittent,' signifying the oscillation of the fault between the active and benign states. If the fault is transient, eventually the token which was deposited in place 'Transient' will be passed to place 'Transient Gone,' signifying the disappearance of the fault. Note that if a token exists in both places 'Transient Gone' and 'Lurking', transition T5 can fire. This represents a transient fault which disappears before its presence is felt.

While the fault is lurking and is still active (i.e., a token in place 'Lurking' and no token in either place 'Benign Intermittent' or 'Transient Gone'), two things may happen: an error may be produced or the fault may be detected directly. These two events are represented by transitions T6 and T7, respectively. If the self-test procedure is run while the fault is active, it will be detected with probability d (d is a user-input value defining the detectability of stuck-at faults). Once an error is produced, it is detected with probability q, or else it propagates through the system, causing a system failure.

Once the fault is detected, a token is deposited in place 'Counter' which records the number of times transient recovery is attempted. As long as there are fewer than k tokens in place 'Counter,' transient recovery can begin. When recovery is completed, the fault may still exist, and the detection/recovery cycle may repeat. If recovery has completed, and the transient fault is gone, T5 is enabled, and the system is once again functioning correctly. If the recovery has completed, and the intermittent fault has gone benign, transitions T6 and T7 wait for the fault to become active again before they are enabled.

If the fault is detected too often (more than k times), the fault is then assumed to be permanent in nature, and no automatic recovery process is begun. This is modeled by the accumulation of k tokens in place C. Once k tokens are present transition T11 is disabled (transient recovery procedures are inhibited) and transition T12 is enabled (permanent recovery procedures begin). Once the fault is determined to be permanent, a diagnosis procedure is invoked to isolate the faulty unit; this is represented by a token in place 'Isolate'. The diagnosis procedure is successful with probability i. If the faulted unit is isolated, the system attempts automatic reconfiguration, which is represented by place 'Reconfigure.' Reconfiguration is successful with probability r and the token is passed to place 'OK Degraded', which represents the system again operating correctly, although performance may be somewhat degraded.

The user of this model must define the distributions for each timed transition, the probability of fault detection (d), error detection (q), isolation (i) and reconfiguration (r). The user must also provide the number of attempts at transient recovery (k), and the percentage of faults which are transient (t).
Let $P_{IC}(t)$ denote the probability of depositing a token in place "OK degraded" in an amount of time $\le t$ from the time of entry into the model. Likewise, $P_{IR}(t)$ represents re-depositing a token in the place "System OK," and $P_{IF}(t)$ represents depositing a token in the "System Failure" place. Let $P_{I*}(\infty)$ (where $* \in \{R, C, F\}$) denote the probability of depositing a token in the appropriate exit place,

$$P_{I*}(\infty) = \lim_{t \to \infty} P_{I*}(t)$$

and let $F_*(t)$ be the distribution of times-to-exit,

$F_*(t) =$

The solution of the ESPN model should provide the imperfect distribution $P_{I*}(t)$ or the exit probability $P_{I*}(\infty)$ and the time-to-exit distribution $F_*(t)$. This set of metrics is then aggregated into the overall model by using either a first-order approximation [Triv84a, Triv84e] or by using exact aggregation [Geis84, Triv84a].

2.2.  Modeling  of  Gracefully  Degrading  Systems 

In the dynamic redundancy techniques used in many ultra-reliable systems [Siew82], redundant units are used for error detection, correction, and/or replacement of failed units. They perform no useful work until they replace a failed on-line unit. Graceful degradation techniques, on the other hand, use the redundant hardware as part of the system's normal resources at all times, to increase performance as well as system reliability. The analysis of such a system must deal simultaneously with aspects of performance, fault-tolerance, imperfect coverage, and repair. The solution of such a model would include measures of the "abilities" of the system: reliability, availability and a combination of reliability and performance.

The ESPN representation of a gracefully degrading system with one component type is shown in Figure 3. The number of tokens in place $p_1$, $i$, represents the number of identical units that are operational. The initial number of tokens in place $p_1$, $N$, equals the total number of units. Assuming an exponential failure law (for simplicity of explanation), they fail at rate $i\lambda$ ($\lambda$ is the failure rate of a single unit). Transition $t_1$ represents units failing.

When a unit fails, a single-entry, three-exit fault-handling model (such as the HARP fault-handling model) is entered. The three exits from the fault-handling model, R (transient restoration), C (permanent fault coverage), and F (single point failure), are represented by transitions $t_2$, $t_3$ and $t_4$ respectively. The firing time distributions for these transitions are $P_{IR}(t)$, $P_{IC}(t)$ and $P_{IF}(t)$, respectively, from the solution of the fault-handling model. If we are using a single-fault model (such as the HARP model), we may assume (conservatively) that the occurrence of a second fault during the handling of the first fault causes immediate system failure. This is represented by the counter arc enabling transition $t_5$, in which $k_1 = 2$. If one is using a double fault model, in which the third fault causes failure, $k_1$ would then be 3.

Transition $t_2$ returns the token to place $p_1$, and the system continues operating with no loss of performance. Transition $t_3$ represents the reconfiguration of the system to bypass a faulted unit, so a token is deposited in place $p_2$. The failed unit can then undergo some manual repair, and be returned to the active pool of resources. Transition $t_6$ represents the repair of a failed unit while the system is still operational. The repair distribution while the system is up, $F_{RU}(t)$, is the firing time distribution for transition $t_6$. If $k_2$ units are down at any given time, the system fails (transition $t_7$).

Once the system has failed, the entire system is taken off-line and repaired. Thus, any tokens that exist in places $p_1$, $p_2$ or $p_3$ must be moved to place $p_4$ upon system failure. This "flushing out" of places $p_1$, $p_2$ and $p_3$ is accomplished by immediate transitions $t_9$, $t_{10}$ and $t_{11}$. The repair distribution while the system is down, $F_{RD}(t)$, is the firing time distribution for transition $t_8$. When the system is repaired, all $N$ tokens are deposited in place $p_1$, thus there are $N$ arcs from transition $t_8$ to place $p_1$.

The solution of this model yields measures of the "abilities" of the system.

Reliability, the probability that the system has not failed by time $t$, is given by

$$R(t) = 1 - \mathrm{Prob}[\text{token reached place } p_4 \text{ by time } t]$$

Availability, the probability that the system is up at time $t$, is given by

$$A(t) = 1 - \mathrm{Prob}[\text{token in place } p_4 \text{ at time } t]$$

The steady-state availability, the long-term probability that the system is up, is given by

$$A_\infty = 1 - \mathrm{Prob}[\text{token in place } p_4 \text{ in steady-state}]$$

The expected computation capacity at time $t$ [Triv84b], assuming that each unit has a computation capacity of $a$, is given by

$$E[C_t] = \sum_{i=1}^{N} i \cdot a \cdot \mathrm{Prob}[\,i \text{ tokens in place } p_1 \text{ at time } t\,]$$

The expected accumulated computation capacity (termed accumulated reward in [Triv84b]) at time $t$, can be obtained by an additional integration:

$$E[Y_t] = \int_0^t E[C_x]\,dx$$

Thus, an ESPN model of a gracefully degrading system, besides being very easy to understand, is general enough to provide measures of reliability, availability, and performance.
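The four measures of Section 2.2 computed for a constructed instance of the Figure 3 system, as an added example (not DEEP or the paper's code). It simplifies the net to a continuous-time Markov chain: the fault-handling submodel is collapsed into an instantaneous coverage probability c, all firing times are exponential, and the transient solution uses uniformization with a trapezoidal rule for E[Y_t]; the parameter values are assumptions.

```python
import math


def build_generator(N, k2, lam, c, mu_up, mu_down, absorbing=False):
    """Generator matrix Q of a CTMC standing in for the Figure 3 net with one
    component type.  States: i = N-k2+1..N working units (tokens in p_1) plus
    'down' (tokens in p_4).  Constructed simplification: the fault-handling
    submodel is collapsed into a coverage probability c, unit failures are
    exponential (rate lam each), repair while up is exponential (mu_up per
    failed unit, transition t_6) and whole-system repair while down is
    exponential (mu_down, transition t_8).  absorbing=True removes the repair
    from 'down', which is the model that yields R(t)."""
    states = list(range(N - k2 + 1, N + 1)) + ['down']
    idx = {s: n for n, s in enumerate(states)}
    Q = [[0.0] * len(states) for _ in states]
    for i in states[:-1]:
        r = idx[i]
        lose_one = i - 1 if i - 1 in idx else 'down'   # k2 units down => t_7 fires
        Q[r][idx[lose_one]] += i * lam * c              # covered fault: exit C
        Q[r][idx['down']] += i * lam * (1.0 - c)        # uncovered fault: exit F
        if i < N:
            Q[r][idx[i + 1]] += (N - i) * mu_up         # one failed unit repaired
    if not absorbing:
        Q[idx['down']][idx[N]] += mu_down               # all N tokens back to p_1
    for r in range(len(states)):
        Q[r][r] = -sum(Q[r])
    return states, Q


def transient(Q, pi0, t, eps=1e-12):
    """State probabilities at time t by uniformization:
    pi(t) = sum_k Poisson(k; L t) * pi0 * P^k with P = I + Q / L.
    Assumes L * t is small enough that exp(-L t) does not underflow."""
    n = len(Q)
    L = max(-Q[r][r] for r in range(n)) * 1.0001 or 1.0
    P = [[Q[r][s] / L + (1.0 if r == s else 0.0) for s in range(n)]
         for r in range(n)]
    vec, result = list(pi0), [0.0] * n
    poisson, cumulative, k = math.exp(-L * t), 0.0, 0
    while cumulative < 1.0 - eps and k < 100000:
        for s in range(n):
            result[s] += poisson * vec[s]
        cumulative += poisson
        k += 1
        poisson *= L * t / k
        vec = [sum(vec[r] * P[r][s] for r in range(n)) for s in range(n)]
    return result


def solve(N, k2, lam, c, mu_up, mu_down, t, absorbing=False):
    """(states, pi(t)) starting from the initial marking: N tokens in p_1."""
    states, Q = build_generator(N, k2, lam, c, mu_up, mu_down, absorbing)
    pi0 = [1.0 if s == N else 0.0 for s in states]
    return states, transient(Q, pi0, t)


def reliability(N, k2, lam, c, mu_up, t):
    """R(t) = 1 - Prob[token reached p_4 by time t]: failure is absorbing."""
    states, pi = solve(N, k2, lam, c, mu_up, 0.0, t, absorbing=True)
    return 1.0 - pi[-1]


def availability(N, k2, lam, c, mu_up, mu_down, t):
    """A(t) = 1 - Prob[token in p_4 at time t]."""
    states, pi = solve(N, k2, lam, c, mu_up, mu_down, t)
    return 1.0 - pi[-1]


def expected_capacity(N, k2, lam, c, mu_up, mu_down, a, t):
    """E[C_t] = sum_i i * a * Prob[i tokens in p_1 at time t]."""
    states, pi = solve(N, k2, lam, c, mu_up, mu_down, t)
    return sum(i * a * pi[n] for n, i in enumerate(states[:-1]))


def accumulated_capacity(N, k2, lam, c, mu_up, mu_down, a, t, steps=200):
    """E[Y_t] = int_0^t E[C_x] dx, by the trapezoidal rule on `steps` panels."""
    h = t / steps
    vals = [expected_capacity(N, k2, lam, c, mu_up, mu_down, a, x * h)
            for x in range(steps + 1)]
    return h * (sum(vals) - 0.5 * (vals[0] + vals[-1]))


if __name__ == '__main__':
    # Constructed parameters: 4 units, failure when 2 are down, 95% coverage,
    # unit failure rate 0.01, repair rates 0.5 (up) and 0.2 (down), a = 2.5.
    for t in (10.0, 100.0, 1000.0):
        print(f't={t:7.1f}  R={reliability(4, 2, 0.01, 0.95, 0.5, t):.5f}  '
              f'A={availability(4, 2, 0.01, 0.95, 0.5, 0.2, t):.5f}  '
              f'E[C_t]={expected_capacity(4, 2, 0.01, 0.95, 0.5, 0.2, 2.5, t):.4f}')
```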


3.  ESPN  Analysis 


3.1.  The  Reachability  Tree 

The first step in the analysis of any Petri Net is the generation of the reachability tree. A marking $M'$ is said to be immediately reachable from $M$ if the firing of some transition $T$, which is enabled in $M$, yields $M'$. $M'$ is reachable from $M$ if it is immediately reachable from $M$ or is reachable from any marking which is immediately reachable from $M$ or is $M$ itself.

The nodes of the reachability tree represent reachable markings of the net; the root node represents the initial marking. A directed edge points from marking $M$ to marking $M'$ if $M'$ is immediately reachable from $M$. The edge is labeled with the transition $T$ whose firing produces $M'$ from $M$, and the probability $p$ that $M'$ is reached from $M$ when $T$ fires.

As  an  example  of  the  generation  of  a  reachability  tree,  consider  the  submodel  of  the 
HARP  fault-handling  model  shown  in  Figure  4.  The  reachability  tree  for  this  net  is  shown 
in  Figure  5.  Each  marking  in  the  reachability  tree  is  labeled  with  the  names  of  the  places 
which  contain  a  token  in  that  marking. 

A reduction of the reachability tree is possible, by partitioning markings into two classes, and absorbing markings of one class into the other. A marking is called a vanishing marking [Mars84] if it enables an immediate transition. A vanishing marking is so named since no time is spent in this marking. If a marking enables only timed transitions then it is called a tangible marking. A vanishing marking can be absorbed into the tangible marking that precedes it, by adjusting the next-state and probability labels on the edges. Figure 8 represents the reduced reachability tree of Figure 5. It is on this reduced tree that the analysis is performed.
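The firing rules of Section 1 (inhibitor, probabilistic and counter arcs) together with the reachability-tree generation and vanishing-marking reduction described above, as an added Python example (this is not DEEP or any code from the paper). The net is a constructed fragment loosely modeled on the Figure 2 description; its place and transition names, the detection-counter semantics and the value t = 0.25 are assumptions.

```python
from collections import deque

def freeze(m):
    """Hashable marking: sorted (place, tokens) pairs, empty places dropped."""
    return tuple(sorted((p, n) for p, n in m.items() if n > 0))

class Transition:
    """Normal input arcs need and remove one token, an inhibitor arc needs zero
    tokens, a counter arc labelled k needs and removes k tokens; the output is a
    probabilistic arc: a list of (probability, {place: tokens}) branches."""
    def __init__(self, name, timed, inputs, outputs, inhibitors=(), counters=None):
        self.name, self.timed = name, timed
        self.inputs, self.inhibitors = tuple(inputs), tuple(inhibitors)
        self.counters, self.outputs = dict(counters or {}), list(outputs)

    def enabled(self, m):
        return (all(m.get(p, 0) >= 1 for p in self.inputs)
                and all(m.get(p, 0) == 0 for p in self.inhibitors)
                and all(m.get(p, 0) >= k for p, k in self.counters.items()))

    def fire(self, m):
        """Yield (branch probability, next marking) for each output branch."""
        base = dict(m)
        for p in self.inputs:
            base[p] -= 1
        for p, k in self.counters.items():
            base[p] -= k
        for prob, outs in self.outputs:
            nxt = dict(base)
            for p, n in outs.items():
                nxt[p] = nxt.get(p, 0) + n
            yield prob, freeze(nxt)

def reachability_tree(transitions, initial):
    """Breadth-first generation of {marking: [(transition, prob, next marking)]}.
    Immediate transitions have priority: a marking enabling one is vanishing and
    only its immediate transitions fire there."""
    edges, queue = {}, deque([freeze(initial)])
    while queue:
        m = queue.popleft()
        if m in edges:
            continue
        md = dict(m)
        live = [tr for tr in transitions if tr.enabled(md)]
        immediate = [tr for tr in live if not tr.timed]
        edges[m] = []
        for tr in (immediate or live):
            for prob, nxt in tr.fire(md):
                edges[m].append((tr.name, prob, nxt))
                queue.append(nxt)
    return edges

def reduce_tree(transitions, edges, initial):
    """Absorb each vanishing marking into the tangible marking preceding it by
    multiplying branch probabilities along the chain of immediate firings.
    Assumes one immediate transition per vanishing marking and no cycle of
    vanishing markings.  Returns (reduced tree, initial distribution)."""
    timed = {tr.name: tr.timed for tr in transitions}

    def vanishing(m):
        return any(not timed[name] for name, _, _ in edges[m])

    def tangible_successors(m, prob):
        if not vanishing(m):
            return [(prob, m)]
        return [pair for _, p, nxt in edges[m]
                for pair in tangible_successors(nxt, prob * p)]

    reduced = {m: [(name, q, tm) for name, p, nxt in edges[m]
                   for q, tm in tangible_successors(nxt, p)]
               for m in edges if not vanishing(m)}
    return reduced, tangible_successors(freeze(initial), 1.0)

# Constructed fragment in the spirit of Figure 2 (not the paper's net): a fault
# is transient with probability T_FRAC, detection T7 is possible only while the
# fault is active (inhibitor arcs), and the second detection (counter arc k = 2)
# triggers permanent-fault isolation T12.
T_FRAC = 0.25
NET = [
    Transition('T1', False, ['SystemOK', 'Fault'],
               [(T_FRAC, {'Transient': 1, 'Lurking': 1}),
                (1 - T_FRAC, {'ActiveInt': 1, 'Lurking': 1})]),
    Transition('T2', True, ['Transient'], [(1.0, {'TransientGone': 1})]),
    Transition('T3', True, ['ActiveInt'], [(1.0, {'BenignInt': 1})]),
    Transition('T4', True, ['BenignInt'], [(1.0, {'ActiveInt': 1})]),
    Transition('T5', False, ['TransientGone', 'Lurking'], [(1.0, {'SystemOK': 1})]),
    Transition('T7', True, ['Lurking'], [(1.0, {'Lurking': 1, 'Count': 1})],
               inhibitors=['BenignInt', 'TransientGone']),
    Transition('T12', False, ['Lurking'], [(1.0, {'Isolate': 1})], counters={'Count': 2}),
]
INITIAL = {'SystemOK': 1, 'Fault': 1}

if __name__ == '__main__':
    edges = reachability_tree(NET, INITIAL)
    reduced, start = reduce_tree(NET, edges, INITIAL)
    print(len(edges), 'markings,', len(reduced), 'tangible; initial:', start)
    for m, outs in reduced.items():
        print(dict(m), '->', outs)
```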

3.2.  Markovian  Reachability  Tree 

DEFINITION (Markovian Reachability Tree)

A reduced reachability tree can be called Markovian if it exhibits the Markov property, that is, if all firing time distributions for timed transitions are exponential.

THEOREM 1: A Markovian reachability tree can be classified as a Markov chain, in which each state in the Markov chain represents a unique marking in the reachability tree.

Proof: See Molloy [Moll81], Natkin [Natk80], and Marsan, Balbo, and Conte [Mars84] who have developed this theory as (Generalized) Stochastic Petri Nets. Figure 7 presents an illustration of the relationship between an ESPN whose reachability tree is Markovian, and the resulting Markov chain. In the ESPN, each timed transition is labeled with its firing rate. In the Markov chain, the initial state is state TL with probability $t$, and AL with probability $(1 - t)$.

3.3. Semi-Markovian Reachability Tree

DEFINITION (Semi-Markovian Reachability Tree)

A reduced reachability tree can be called semi-Markovian if it exhibits the Markov property at all times when marking changes occur.

Three conditions concerning the transitions in the ESPN must be satisfied for the reachability tree to be semi-Markovian. Before we study these conditions, we need to classify each of the timed transitions into one of three groups: exclusive, competitive, or concurrent.

Exclusive Transition -- A timed transition $T_i$ is said to be exclusive if, for every marking $M_k$ in the reduced reachability tree that enables $T_i$, $M_k$ enables no other transition. That is, whenever transition $T_i$ is enabled, no other transition is enabled.

Competitive Transition -- Let $T_i$ be a non-exclusive timed transition. Then there exists a marking $M_k$ in which $T_i$ and some other transition $T_j$ are enabled. If for every such $T_j$ in every such marking $M_k$, the firing of $T_j$ disables the transition $T_i$, then $T_i$ is called a competitive transition.

Concurrent Transition -- Again let $T_i$ be a non-exclusive timed transition. Then there exists a marking $M_k$ in which $T_i$ and some other transition $T_j$ are enabled. If for any such $T_j$ in any such marking $M_k$, the firing of $T_j$ does not disable transition $T_i$, then $T_i$ is called a concurrent transition.


THEOREM 2: A reachability tree is called semi-Markovian if it satisfies three conditions:

Condition 1: The firing time of an exclusive transition may belong to any arbitrary probability distribution.

Condition 2: The firing time of a competitive transition may belong to any arbitrary probability distribution. However, the firing time of a transition that is re-enabled subsequent to being disabled is assumed to be of the type preemptive-repeat-different. That is, the time between the enabling and firing of the re-enabled transition is independent of and has the identical distribution as the preempted firing time.

Condition 3: The firing time of all concurrent transitions must be exponentially distributed.

Proof: It is necessary to verify that a semi-Markovian reachability tree satisfies the Markov property at the times at which state changes occur. Recall that a state represents a marking for the ESPN, and that state changes occur when transitions fire. In examining the markings for the reachability tree it is useful to distinguish three cases.


Case  1:  The  marking  enables  an  exclusive  transition. 


The  time  spent  in  the  marking  is  the  time  needed  for  the  exclusive  transition  to 
fire  and  is  independent  of  the  past  history  of  the  process. 

Case  2:  The  marking  enables  non-exclusive  transitions. 

Assuming (without loss of generality) that the marking enables both a competitive and a concurrent transition, the future of the process depends on which fires first. If the competitive transition fires first, then the concurrent transition may still be enabled upon entry into the next state. In this next state, the remaining time for the concurrent transition depends on the time needed for the competitive transition to fire in the previous state. The memoryless property of the exponential distribution assures us that this remaining time distribution will be identical to the original firing time distribution.

If the concurrent transition fires first, then by definition, the competitive transition is disabled. If the process subsequently enters another marking in which the competitive transition is re-enabled, the preemptive-repeat-different assumption of condition 2 assures us that the firing time of a re-enabled transition is identical to the original firing time distribution, and is independent of the preemption.

Case  3:  The  marking  enables  no  transition. 

If  a  marking  enables  no  transition,  then  this  marking  is  an  absorbing  state  of 
the  process,  and  no  further  state  changes  may  occur. 

THEOREM 3: A semi-Markovian reachability tree can be classified as a semi-Markov process [Fell64], in which each state in the semi-Markov process represents a unique marking in the reachability tree.

Proof: In the ESPN, the firing time distribution $T_k(t)$ is the probability that transition $k$ fires in an amount of time $\le t$ after it is enabled. Let $t_k(t)$ be the corresponding density function. In any subsequent diagrams, a transition will be labeled with its corresponding distribution.

In the semi-Markov process, the defective probability distribution $F_{ij}(t)$ (with $F_{ij}(0) = 0$; $F_{ij}(\infty) \le 1$) is the probability that a sojourn time in state $i$ has duration $\le t$ and ends by a jump to state $j$. The next-state transition probability $p_{ij} = F_{ij}(\infty)$.

The unconditional sojourn distribution in state $i$ is the sum of the conditional sojourn time distributions:

$$S_i(t) = \sum_j F_{ij}(t).$$

We begin our analysis at some marking $M_i$ (called state $i$ in the semi-Markov process). Suppose the firing of transition $T_j$ from marking $M_i$ yields marking $M_j$, where $T_j$ is an exclusive transition. Then the conditional sojourn time distribution for this state is simply the transition firing time distribution.

$$F_{ij}(t) = T_j(t)$$

Next suppose that, from marking $M_i$, the firing of transition $T_j$ yields $M_j$ with probability $p_j$, and the firing of transition $T_k$ yields $M_k$ with probability $p_k$, and that no other markings are immediately reachable from $M_i$. (Note that if $T_j \ne T_k$ then the two transitions are competing and $p_j = p_k = 1$. If $T_j = T_k$ then after the firing of the transition a probabilistic branching occurs, where $p_j + p_k = 1$.) If $T_j \ne T_k$ then

$$F_{ij}(\tau) = \int_0^{\tau} (1 - T_k(x))\, t_j(x)\, dx \quad \text{and} \quad F_{ik}(\tau) = \int_0^{\tau} (1 - T_j(x))\, t_k(x)\, dx.$$

If $T_j = T_k = T$ then

$$F_{ij}(\tau) = p_j \cdot T(\tau) \quad \text{and} \quad F_{ik}(\tau) = p_k \cdot T(\tau).$$

The conditional sojourn time calculation generalizes to markings that enable more than two transitions. Let $A$ be the set of enabled transitions in marking $M_i$. Let $a_{ij} \in A$ be the transition whose firing causes a jump from state $i$ to state $j$ with probability $p_{a_{ij}}$. Then the conditional sojourn time distribution is:

$$F_{ij}(\tau) = p_{a_{ij}} \int_0^{\tau} \prod_{\substack{a \in A \\ a \ne a_{ij}}} \bigl(1 - T_a(x)\bigr)\; t_{a_{ij}}(x)\, dx.$$
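A numerical check of the general formula above, added here as an illustration (it is not code from the report or from DEEP): the conditional sojourn time distribution $F_{ij}(\tau)$ is evaluated by quadrature for a marking that enables several transitions with constructed firing time distributions. For three competing exponential transitions the exit probabilities $F_{ij}(\infty)$ must come out as rate ratios, and for an exponential transition racing a uniform one the exits must sum to one as soon as the uniform transition is certain to have fired. The function names, the transition labels and the branching probabilities are mine.

```python
"""Numerical evaluation of the conditional sojourn time distribution of
Theorem 3 for a marking that enables several transitions at once:
    F_ij(tau) = p_aij * int_0^tau prod_{a != aij} (1 - T_a(x)) t_aij(x) dx.
Added example, not from the report; every distribution below is constructed."""
import math


def exponential(rate):
    """(CDF, density) of an exponential firing time."""
    return (lambda x: 1.0 - math.exp(-rate * x),
            lambda x: rate * math.exp(-rate * x))


def uniform(a, b):
    """(CDF, density) of a firing time uniform on [a, b]."""
    cdf = lambda x: 0.0 if x < a else (1.0 if x > b else (x - a) / (b - a))
    pdf = lambda x: 1.0 / (b - a) if a <= x <= b else 0.0
    return cdf, pdf


def simpson(f, a, b, n=2000):
    """Composite Simpson's rule on [a, b] with n (even) subintervals."""
    h = (b - a) / n
    s = f(a) + f(b) + sum((4 if k % 2 else 2) * f(a + k * h) for k in range(1, n))
    return s * h / 3.0


def conditional_sojourn(enabled, winner, p, tau):
    """F_ij(tau): `winner` is the first of the transitions in `enabled`
    (a dict name -> (CDF, density)) to fire, it does so by time tau, and
    its firing leads to marking j with branching probability p
    (p = 1 when the firing leads to a single marking)."""
    _, t_win = enabled[winner]

    def integrand(x):
        survive = 1.0
        for name, (T, _) in enabled.items():
            if name != winner:
                survive *= 1.0 - T(x)   # no competitor has fired by time x
        return survive * t_win(x)

    return p * simpson(integrand, 0.0, tau)


def exit_probabilities(enabled, tau):
    """a_ij = F_ij(infinity), approximated at a tau beyond which no mass remains."""
    return {name: conditional_sojourn(enabled, name, 1.0, tau) for name in enabled}


def race_example():
    # Three exponential transitions in competition: a_ij = rate_j / sum of rates.
    expo = {"T1": exponential(1.0), "T2": exponential(2.0), "T3": exponential(3.0)}
    # An exponential transition racing a uniform one: all mass is gone by x = 2,
    # so tau = 2 already gives the exit probabilities.
    mixed = {"T_exp": exponential(0.5), "T_unif": uniform(0.0, 2.0)}
    return {
        "expo": exit_probabilities(expo, 30.0),
        "mixed": exit_probabilities(mixed, 2.0),
        # the firing of T_exp branches to two markings with p = 0.3 and 0.7
        "branch_j": conditional_sojourn(mixed, "T_exp", 0.3, 2.0),
        "branch_k": conditional_sojourn(mixed, "T_exp", 0.7, 2.0),
    }


if __name__ == "__main__":
    for name, value in race_example().items():
        print(name, value)
```

For the mixed race the exact values are $1 - e^{-1}$ for the uniform transition and $e^{-1}$ for the exponential one, which is a convenient hand check of the quadrature; the exponential-only case reproduces the competing-risks result that a memoryless race is decided in proportion to the rates.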


4.  Conversion  of  an  Acyclic  Reachability  Tree  to  a  Semi-Markov  Process

If the firing time of a concurrent transition is not exponentially distributed, then the corresponding ESPN cannot be converted to a semi-Markov process using Theorem 3. But it may be possible to convert the reduced reachability tree to a semi-Markov process by a judicious lumping of markings to form one state. The conditional sojourn time distributions can then be determined by performing a path analysis of the markings in the lumped state.

DEFINITION ( Acyclic reachability tree )

A reduced reachability tree can be termed acyclic if each marking can be visited only once; that is, if there are no cycles. Formally, for every marking $M'$ that is reachable from a marking $M$, $M$ must not be reachable from $M'$.

DEFINITION ( Concurrency set )

For each concurrent transition $T$ whose firing time is generally distributed (i.e., not exponential), define a concurrency set $C_T$ such that a marking $M$ is an element of the concurrency set $C_T$ if any of the following conditions are satisfied:

1) $M$ enables transition $T$,

2) a marking $M_j$ ($\in C_T$) is reachable from some $M_k$ ($\in C_T$) through $M$,

3) $M$ is the "closest" marking such that each $M_j$ ($\in C_T$) is reachable from $M$. ("Closest" in the sense that there is no $M'$ such that $M'$ is reachable from $M$ and each $M_j$ ($\in C_T$) is reachable from $M'$.)

4) $M$ is an element of some concurrency set whose intersection with $C_T$ is nonempty.


Once the concurrency sets have been determined, the conversion of the reachability tree to a semi-Markov process may proceed. A marking $M$ that is an element of no concurrency set becomes a state in the semi-Markov process, and the calculation of the sojourn times proceeds as in the semi-Markovian reachability tree.

For each concurrency set, a state in the semi-Markov process is formed by combining all markings in the set into a single state. The determination of the conditional sojourn time distributions in this state consists of calculating, for each possible path through the lumped state, the time-to-exit for each output arc. This path analysis is best explained through a series of simple examples.

Consider the ESPN in Figure 8a, where $T_A$ and $T_C$ have general distributions, while $T_B$ is exponential. The corresponding reachability tree is shown in Figure 8b. In this example, $T_A$ is an exclusive transition, while $T_B$ and $T_C$ are concurrent transitions. The concurrency set associated with transition $T_C$ contains markings BC and DC; the state containing these markings will be labeled C. The semi-Markov process representation of this tree is shown in Figure 8c. The conditional sojourn time distributions for the merged state C are given by:

$$F_{C,BE}(\tau) = \int_0^{\tau} \bigl(1 - T_B(x)\bigr)\, t_C(x)\, dx$$

$$F_{C,DE}(\tau) = \int_0^{\tau} T_B(x)\, t_C(x)\, dx$$

Clearly, as the concurrency increases, the complexity of the path analysis also increases. The level of complexity is increased further when we consider a sequence of concurrent transitions, some of which are not enabled immediately upon entering the merged state. As an example, consider the ESPN in Figure 9a, where concurrent transition $T_B$ is generally distributed. The corresponding reachability tree and semi-Markov process are in Figures 9b and 9c, respectively. Since markings BC, BE, BF and BG each enable transition $T_B$, they will be merged into a single state, called B. There are four possible exits for this state, each corresponding to a distinct path.

Path 1: BC $\to$ DC. The probability that state DC is entered at time $x$ is simply the probability that $T_C$ has not fired by time $x$ and that $T_B$ fires at time $x$.

$$F_{B,DC}(\tau) = \int_0^{\tau} \bigl(1 - T_C(x)\bigr)\, t_B(x)\, dx$$

Path 2: BC $\to$ BE $\to$ DE. The probability that state DE is entered at time $x$ is the probability that, at some time $u$, $T_C$ fires, thus enabling transition $T_E$. Between $u$ and $x$, $T_E$ does not fire, and at time $x$, $T_B$ fires. See Figure 10a for a timing diagram of this sequence.

$$F_{B,DE}(\tau) = \int_0^{\tau} \int_0^{x} t_B(x)\, \bigl(1 - T_E(x-u)\bigr)\, t_C(u)\, du\, dx$$
Path 3: BC $\to$ BE $\to$ BF $\to$ DF. In the timing diagram for this path, shown in Figure 10b, $T_C$ fires at some time $w$, then $T_E$ fires at some time $u \ge w$, where $T_E$ was enabled at time $w$. Between $u$ and $x$, $T_F$ does not fire, where $T_F$ was enabled at time $u$, and at time $x$, $T_B$ fires.

$$F_{B,DF}(\tau) = \int_0^{\tau} \int_0^{x} \int_0^{u} t_B(x)\, \bigl(1 - T_F(x-u)\bigr)\, t_E(u-w)\, t_C(w)\, dw\, du\, dx$$

Path 4: BC $\to$ BE $\to$ BF $\to$ BG $\to$ DG. Figure 10c shows the timing diagram for this path, in which $T_C$ fires at time $v$ and enables $T_E$, which fires at time $w$, thus enabling $T_F$. At some time $u$, $T_F$ fires. Then at time $x \ge u \ge w \ge v$, $T_B$ fires, where $T_B$ was enabled at time 0. Thus,

$$F_{B,DG}(\tau) = \int_0^{\tau} \int_0^{x} \int_0^{u} \int_0^{w} t_B(x)\, t_F(u-w)\, t_E(w-v)\, t_C(v)\, dv\, dw\, du\, dx$$

This methodology can be validated [Duga84] by looking at the case in which the firing times are all exponential. This system then reduces to a Coxian stage-type distribution.
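The four path integrals above, worked numerically for the lumped state B (an added example; this is not the report's or DEEP's code, and all rates are constructed). Paths 1 and 2 are evaluated by nested quadrature from the formulas as written; all four exits are also estimated by a transient simulation of the merged state, the kind of run described for ESPN-sim in Section 5, which is how the three- and four-fold integrals of paths 3 and 4 are handled here. The all-exponential case is the validation just mentioned: with memoryless firing times every exit probability is a product of race probabilities, and the quadrature, the simulation and those closed forms must agree. Function names and the rate values are mine.

```python
"""Path analysis of the lumped state B of Figure 9 (markings BC, BE, BF, BG;
exits DC, DE, DF, DG) and its all-exponential validation.
Added example, not from the report or DEEP; every rate below is constructed."""
import math
import random


def exponential(rate):
    """(CDF, density) of an exponential firing time."""
    return (lambda x: 1.0 - math.exp(-rate * x),
            lambda x: rate * math.exp(-rate * x))


def simpson(f, a, b, n=400):
    """Composite Simpson's rule on [a, b] with n (even) subintervals."""
    h = (b - a) / n
    s = f(a) + f(b) + sum((4 if k % 2 else 2) * f(a + k * h) for k in range(1, n))
    return s * h / 3.0


def F_B_DC(B, C, tau):
    """Path 1 (BC -> DC): T_C has not fired by x and T_B fires at x."""
    T_C, _ = C
    _, t_B = B
    return simpson(lambda x: (1.0 - T_C(x)) * t_B(x), 0.0, tau)


def F_B_DE(B, C, E, tau):
    """Path 2 (BC -> BE -> DE): T_C fires at u, T_E (enabled at u) does not
    fire in (u, x], and T_B fires at x.  The inner integral runs over u."""
    _, t_C = C
    T_E, _ = E
    _, t_B = B
    inner = lambda x: simpson(lambda u: (1.0 - T_E(x - u)) * t_C(u), 0.0, x)
    return simpson(lambda x: t_B(x) * inner(x), 0.0, tau)


def simulate_lumped_state(rates, runs, seed=7):
    """Transient simulation of the merged state with exponential firing times:
    sample the four firing times, find which marking of the chain
    C -> E -> F -> G is current when T_B fires, and record exit and time-to-exit."""
    rng = random.Random(seed)
    samples = []
    for _ in range(runs):
        x = rng.expovariate(rates["B"])          # T_B, enabled at time 0
        c = rng.expovariate(rates["C"])          # T_C, enabled at time 0
        w = c + rng.expovariate(rates["E"])      # T_E, enabled when T_C fires
        u = w + rng.expovariate(rates["F"])      # T_F, enabled when T_E fires
        exit_ = "DC" if x < c else "DE" if x < w else "DF" if x < u else "DG"
        samples.append((exit_, x))
    return samples


def empirical_F(samples, exit_, tau):
    """F_{B,exit}(tau) estimated from the simulation samples."""
    return sum(1 for e, x in samples if e == exit_ and x <= tau) / len(samples)


def validation():
    rates = {"B": 1.0, "C": 2.0, "E": 1.5, "F": 0.5}
    mu, lam, nu, rho = rates["B"], rates["C"], rates["E"], rates["F"]
    # Memoryless case: the lumped state is a chain of exponential stages and
    # each exit probability is a product of pairwise race probabilities.
    exact = {"DC": mu / (mu + lam),
             "DE": lam / (lam + mu) * mu / (mu + nu),
             "DF": lam / (lam + mu) * nu / (nu + mu) * mu / (mu + rho),
             "DG": lam / (lam + mu) * nu / (nu + mu) * rho / (rho + mu)}
    B, C, E = exponential(mu), exponential(lam), exponential(nu)
    samples = simulate_lumped_state(rates, runs=40000)
    return {
        "exact": exact,
        "integral_DC": F_B_DC(B, C, 12.0),       # tau large enough for F(inf)
        "integral_DE": F_B_DE(B, C, E, 12.0),
        "simulated": {e: empirical_F(samples, e, float("inf")) for e in exact},
        "integral_DC_at_1": F_B_DC(B, C, 1.0),   # a point of the time-to-exit CDF
        "simulated_DC_at_1": empirical_F(samples, "DC", 1.0),
    }


if __name__ == "__main__":
    for name, value in validation().items():
        print(name, value)
```

With the rates chosen here the closed forms give $F_{B,DC}(\infty) = 1/3$ and $F_{B,DE}(\infty) = 4/15$; the two quadratures reproduce them to better than $10^{-3}$ and the simulation to within its sampling error, and the same simulation yields the full time-to-exit distribution that the integrals give only pointwise.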

If cycles are permitted within a lumped state, then an infinite number of possible paths arise, and an automatic conversion of an arbitrary ESPN to a semi-Markov process becomes intractable. Even in acyclic reachability trees it seems infeasible to perform automatic path analysis and solve for the sojourn times on any but the most simple systems. In such cases we can easily resort to simulation of the ESPN to obtain the desired solution.

5.  DEEP  (The  Duke  ESPN  Evaluation  Package)

The design of the Duke ESPN Evaluation Package, DEEP, can be divided into three levels: input, analysis, and solution. (See Figure 11.) DIVE (The DEEP Interactive Video Editor) allows for the graphic input of an ESPN, by allowing the user to position the places, transitions and arcs on the screen. It interprets the net as it is input and checks to see if it is a valid ESPN. Once the net is input, its description is fed to another module, Reach. We are also in the process of developing a textual input language for DEEP.

Reach generates the reachability tree for the net, and absorbs the vanishing markings into the tangible ones. Once the reduced reachability tree is generated, it is characterized as Markovian, semi-Markovian, or neither. If the reduced reachability tree is Markovian, it is solved as a continuous-time Markov chain; if it is semi-Markovian, it is solved as a semi-Markov process. If it is neither, it is simulated.
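A sketch of what the Reach module is described as doing, added as an illustration in Python (DEEP's own code is not reproduced on the page; the net, the rule used to label transitions and all function names are assumptions): enumerate the tangible markings of a bounded net while absorbing vanishing markings, label each enabled transition as exclusive, competitive or concurrent, test the tree for cycles (the acyclic definition of Section 4), and classify it as Markovian, semi-Markovian or neither according to whether every concurrent transition is exponential. The net follows the place and transition naming of the Figure 8 discussion with an immediate transition added so that vanishing markings occur.

```python
"""Reachability-tree generation and classification along the lines of the
Reach module described for DEEP.  Added illustration, not DEEP's code; the
net is constructed, following the naming of the Figure 8 discussion."""
from collections import deque

# transition -> input places, output places, timing kind:
# "imm" immediate, "exp" exponential firing time, "gen" general distribution
NET = {
    "T_A": {"in": ["A"], "out": ["B", "C"], "kind": "gen"},
    "T_B": {"in": ["B"], "out": ["D"],      "kind": "exp"},
    "T_C": {"in": ["C"], "out": ["E"],      "kind": "gen"},
    "T_I": {"in": ["E"], "out": ["F"],      "kind": "imm"},  # makes BE, DE vanishing
}


def key(m):
    """Canonical hashable form of a marking (empty places dropped)."""
    return tuple(sorted((p, n) for p, n in m.items() if n))


def enabled(m, net):
    return [t for t, tr in net.items() if all(m.get(p, 0) >= 1 for p in tr["in"])]


def fire(m, tr):
    m = dict(m)
    for p in tr["in"]:
        m[p] -= 1
    for p in tr["out"]:
        m[p] = m.get(p, 0) + 1
    return m


def absorb(m, net):
    """Follow immediate transitions until a tangible marking is reached.  One
    enabled immediate transition at a time is handled; several would need the
    branching probabilities the full ESPN attaches to them."""
    while True:
        imm = [t for t in enabled(m, net) if net[t]["kind"] == "imm"]
        if not imm:
            return m
        if len(imm) > 1:
            raise NotImplementedError("probabilistic branching not modelled")
        m = fire(m, net[imm[0]])


def reduced_reachability(initial, net):
    """Breadth-first enumeration of tangible markings (bounded nets only).
    Returns {marking: {timed transition: next tangible marking}}."""
    graph, queue = {}, deque([absorb(initial, net)])
    while queue:
        m = queue.popleft()
        if key(m) in graph:
            continue
        graph[key(m)] = {}
        for t in enabled(m, net):
            nxt = absorb(fire(m, net[t]), net)
            graph[key(m)][t] = key(nxt)
            queue.append(nxt)
    return graph


def classify_transitions(graph, net):
    """Per tangible marking: exclusive if alone, concurrent if still enabled
    after some other enabled transition fires, competitive otherwise."""
    labels = {}
    for m, edges in graph.items():
        for t in edges:
            if len(edges) == 1:
                labels[(m, t)] = "exclusive"
            elif any(t in enabled(fire(dict(m), net[u]), net) for u in edges if u != t):
                labels[(m, t)] = "concurrent"
            else:
                labels[(m, t)] = "competitive"
    return labels


def is_acyclic(graph):
    """No marking is reachable from itself (the acyclic tree of Section 4)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {m: WHITE for m in graph}

    def dfs(m):
        colour[m] = GREY
        for nxt in graph[m].values():
            if colour[nxt] == GREY or (colour[nxt] == WHITE and not dfs(nxt)):
                return False
        colour[m] = BLACK
        return True

    return all(colour[m] != WHITE or dfs(m) for m in list(graph))


def classify_tree(graph, net):
    """Markovian: all timed transitions exponential.  Semi-Markovian: every
    transition concurrent in some marking is exponential (Theorem 3).
    Neither: simulate, or lump markings as in Section 4 if the tree is acyclic."""
    timed = [t for t, tr in net.items() if tr["kind"] != "imm"]
    if all(net[t]["kind"] == "exp" for t in timed):
        return "Markovian"
    labels = classify_transitions(graph, net)
    if all(net[t]["kind"] == "exp" for (_, t), lab in labels.items() if lab == "concurrent"):
        return "semi-Markovian"
    return "neither"


def demo():
    initial = {"A": 1}
    graph = reduced_reachability(initial, NET)
    out = {"markings": sorted(graph), "acyclic": is_acyclic(graph),
           "labels": classify_transitions(graph, NET), "kind": classify_tree(graph, NET)}
    # With T_C exponential only the exclusive T_A is general, so Theorem 3 applies.
    net2 = {t: dict(tr) for t, tr in NET.items()}
    net2["T_C"]["kind"] = "exp"
    out["kind_if_TC_exp"] = classify_tree(reduced_reachability(initial, net2), net2)
    # A repair transition returning the tokens to A makes the tree cyclic.
    net3 = dict(NET, T_R={"in": ["D", "F"], "out": ["A"], "kind": "exp"})
    out["acyclic_with_repair"] = is_acyclic(reduced_reachability(initial, net3))
    return out
```

On the constructed net the five tangible markings are A, BC, BF, CD and DF; $T_B$ and $T_C$ are concurrent in BC, and because $T_C$ is generally distributed the tree is classified as neither Markovian nor semi-Markovian, which is exactly the situation that sends DEEP to simulation or to the lumping of Section 4. Changing $T_C$ to exponential leaves only the exclusive $T_A$ non-exponential and the tree becomes semi-Markovian.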

ESPN-sim uses one of two types of simulation, transient or ergodic, depending on the measures desired by the user. If the user is interested in exit probabilities and time-to-exit distributions (as in modeling imperfect coverage), or time-dependent occupation probabilities for places (as in reliability modeling), a transient simulation is performed. If the user is interested in long-term or average measures, such as average token count or transition utilization, an ergodic simulation is performed.

DEEP  is  undergoing  development  and  testing,  and  only  portions  of  it  have  been  fully 
implemented  thus  far. 

6.  An  Example 

As an example of the hierarchical modeling of a gracefully degrading system, we will solve an "instantaneous coverage" [Triv84c] version of the "ability" model discussed in Section 2.2. In this model, assuming that the time spent in the fault-handling model is negligible as compared with fault-occurrence and repair times, transitions $t_2$, $t_3$, and $t_4$ are combined into one immediate transition tj (see Figure 12). The probabilistic output arc labels are functions of $r$ (transient restoration) and $c$ (coverage) from the solution of the fault-handling model. Transition $t_6$ can be eliminated, since we are ignoring the possibility of near-coincident faults. (Methods of incorporating near-coincident faults can be found in [Triv84c] and [Geis84].)

Before we can solve the "ability" model, the fault-handling model (Figure 2) must be solved for the parameters listed in Table 1. The imperfect probability distributions $P_R$ and $P_C$ are shown in Figure 13. For the solution of the "ability" model, we need only $c = P_C(\infty)$ and $r = P_R(\tau)$.

Considering the system failure state as an absorbing state (i.e. Fjm = 0), the model was simulated for the parameters listed in Table 2. The occupation probabilities for places $p_1$ and $p_4$ are shown in Figure 14. A plot of the reliability of the system is shown in Figure 15a, while Figure 15b shows a plot of the expected computation capacity of the system, assuming that $a = 1$.

To estimate the availability of the system, the model was again simulated for the values listed in Table 2. Additionally, off-line repair was allowed, where Fjh>(t) was assumed Normally distributed (truncated at zero; mean = 10 hours, standard deviation = 2 hours). A plot of the estimated availability of the system is shown in Figure 16.

7.  Conclusions 

The ESPN model greatly enhances the modeling power of stochastic Petri Nets, but also increases the complexity of the solution of the model. We have developed both analytic and simulative solution techniques for ESPNs; the choice of solution technique (which can be made automatic) depends on the characteristics of the net. DEEP (The Duke ESPN Evaluation Package) will provide automated analysis of an arbitrary ESPN, and will be ready for initial testing in late 1984.
Time Distributions

    ACTIVE Transition          unif(0, 1 sec.)
    BENIGN Transition          unif(0, 0.5 sec.)
    Transient Lifetime         exp(100/sec)
    DETECT Transition          unif(0, 0.4 sec.)
    ERROR Transition           weibull(10/sec., 2.5)
    ERROR-DETECT Transition    weibull(50/sec., 0.25)
    ISOLATE Transition         truncated normal(1.0, 10)
    RECOVERY Transition        2-stage erlang(100/sec.)
    RECONFIGURE Transition     truncated normal(1.0, 0.5)

Other Parameters

    Probability of fault detection by self test:    0.8
    Probability of error detection:                 o.m
    Probability of isolating detected fault:        0.5
    Number of recovery attempts:                    5
    Probability of successful reconfiguration:      0.75
    Fraction of faults which are transient:         0.5
    Desired confidence level:                       m%

Table 1. Input Parameters for Fault-Handling Model
Figure 13. Results of Simulation of Fault-Handling Model
    $N = 3$ units
    $K = 2$ units
    $\lambda = 10^{-2}$ failures/hour
    FR(j = 2-stage Erlang (0.5/hour)

Table 2. "Ability" Model Parameters
Figure 14. "Ability" Model Solution